It is funny, even after previous awareness messages, I have received requests to "...disable MFA for the service account..." (actually EntraID user account) "...because it cannot authenticate in Azure and scripts are failing due to MFA...". - ThreadSky

About ThreadSky

It is funny, even after previous awareness messages, I have received requests to "...disable MFA for the service account..." (actually EntraID user account) "...because it cannot authenticate in Azure and scripts are failing due to MFA...".

Comments

jeftek.com•104 days ago

It's amazing how adding additional security control requirements identify all the activity that was being done with just a password.....

gupi-ro.bsky.social•104 days ago

Yep, all the skeletons in the closet 🤭

alexmags.bsky.social•103 days ago

Service accounts were the safest way for automation scripts to authenticate because you could apply CA policies to limit use to specific IPs or devices. But now you can buy Workload Identity licences and protect app registrations with CA policies too. Time to switch.

alexmags.bsky.social•103 days ago

Workload Identity feature licences not expensive. Limits access in case secret gets compromised. Alternative to service accounts that bypassed MFA but compensated with network location CA policies.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity

gupi-ro.bsky.social•103 days ago

Thanks Alex! Neither costs, nor will are the problem (it's hard to change a wheel to a one-mile moving train!)

brodersen.cloud•104 days ago

If only that was the only problem. I’m working with a team that are still using legacy authentication in one of their apps and they have no plans of upgrading to a more modern way of using service principals.

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply